How to Leverage Penetration Testing for Cyber Security Assessments

With cyber security high on banks’ priority lists, penetration testing provides an avenue for finding and eliminating vulnerabilities.

The recent wave of high profile data breaches and Internet of Things attacks has put organizations – especially financial institutions – under extraordinary pressure to ensure that their systems are secure and their data is protected.

For banks and other financial institutions, this means conducting regular security assessments of their systems to check for vulnerabilities and to comply with the Payment Card Industry Data Security Standard (PCI DSS). These assessments may include a network penetration test (pentest).

Timber Wolfe, TrainACE

A pentest involves scanning a bank's systems and networks for vulnerabilities, then, within agreed limits, attempting to exploit them to see whether access can be gained. Pentests are distinctive because they use the same techniques attackers employ. This may involve scanning a range of IP addresses to identify hosts running services with known vulnerabilities, then exploiting an unpatched system to demonstrate what an attacker could reach.

Two common types of pentest are black box and white box testing. In a black box test, the third-party tester is given no prior knowledge of the corporate systems. Because this simulates how an outside attacker would see the network and attempt to break into it, it is often the preferred method. In a white box test, the tester is given information about the network, the systems on it, and source code, and uses that information to identify weaknesses that an uninformed attacker might miss within a time-limited engagement.

For banks and financial institutions, a pentest is useful for gaining assurance about critical web-facing systems. It is also one technique used within an assessment to meet PCI DSS requirements when operating an online payment system. Regardless of why it is conducted, a pentest requires qualified testers, a written scope and rules of engagement, and documentation of the results.

The PCI Security Standards Council (SSC) manages programs that facilitate assessment of compliance with the PCI DSS. It has created three qualifications: Qualified Security Assessors (QSAs), companies and their employees qualified by the PCI SSC to perform PCI DSS assessments; Approved Scanning Vendors (ASVs), vendors qualified to perform the external vulnerability scans the standard requires, using scanning solutions validated by the PCI SSC; and Internal Security Assessors (ISAs), employees of larger PCI ecosystem members who are qualified to perform their own organization's internal assessments. None of these is a pentester certification, and an ASV scan is an automated external vulnerability scan; it does not replace the penetration test that the standard requires separately.

Pentests should not be taken lightly. Done improperly, they can have serious negative impacts on a network: a poor pentest can crash systems, or worse, leave them compromised by unauthorized attackers, for example through a backdoor planted during exploitation and not removed, or through findings that leak from an unsecured report. Only qualified and trusted individuals should perform pentests, working from a written scope, rules of engagement and an agreed testing window. This is why PCI DSS requires that penetration tests be performed by qualified testers following an industry-accepted methodology, and why the PCI SSC publishes dedicated penetration testing guidance.

Compliance work falls into three phases: assess, remediate, and report. Assessment involves identifying where cardholder data is stored, processed and transmitted, inventorying the IT assets and business processes involved in payment card processing, and analyzing them for vulnerabilities that could expose cardholder data; pentesting is done in this phase. Remediation involves fixing or mitigating the vulnerabilities identified in the assessment phase and then validating the fixes, for example by retesting. Reporting involves compiling and submitting the required remediation validation records and compliance reports. Reporting is also the official mechanism by which banks and financial institutions demonstrate compliance with the DSS to their respective card brand.

A minimal Report on Compliance (ROC) should include an executive summary; a description of the scope of work and the approach taken; and details of the reviewed environment, including network diagrams, a description of the bank's environment, the network segmentation used, the entities required to comply with PCI DSS, the version of PCI DSS against which the assessment was conducted, contact information, the report date, the quarterly scan results from an ASV, and findings and observations.

Because a pentest is an attempt to break or expose the security of a system rather than a systematic review of its controls, it is not considered a full security audit. After a pentest, remember that the results are temporary: they represent one view of a system's security at a single moment in time, against the tests that were actually run. New vulnerabilities and weaknesses can appear shortly after a pentest is conducted, through new disclosures, configuration drift or changes to the systems, which is why PCI DSS requires the test to be repeated at least annually and after any significant change.
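The following is an added example, not code from the article or from the PCI SSC. It illustrates two points made above: the scanning step of a pentest (identifying hosts running services with known-vulnerable versions, while refusing to touch anything outside the agreed scope) and the point-in-time nature of the results (diffing two dated snapshots of the same environment). The IP ranges, service banners and "first fixed version" table are all constructed and hypothetical; in a real engagement the scan lines would come from a banner grab or a version-detection scan, and the version thresholds from a vulnerability database.

```python
"""Added example (not from the article): triage constructed scan output
against an agreed scope and a hypothetical fixed-version table, then diff
two dated snapshots to show how findings change after the test."""
import ipaddress
import re
from dataclasses import dataclass

# Agreed scope from the rules of engagement. Hosts outside it are never
# probed; they are reported back to the client instead. Hypothetical
# TEST-NET-3 range.
IN_SCOPE = [ipaddress.ip_network("203.0.113.0/28")]

# Hypothetical "first fixed version" table. A service whose version sorts
# below the fixed version is treated as having a known vulnerability.
FIXED_IN = {
    "openssh": (8, 9),
    "apache": (2, 4, 58),
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: tuple


# Constructed scan output in a simple "host port product/version" form,
# as a banner grab or version-detection scan would give after normalisation.
SCAN_BEFORE = """
203.0.113.5 22 openssh/8.4
203.0.113.5 443 apache/2.4.57
203.0.113.9 22 openssh/9.3
198.51.100.7 80 apache/2.4.41
"""

# The same environment one month later (constructed): .5 patched SSH, and a
# new host appeared on an old Apache release after the test had finished.
SCAN_AFTER = """
203.0.113.5 22 openssh/9.3
203.0.113.5 443 apache/2.4.57
203.0.113.9 22 openssh/9.3
203.0.113.12 8080 apache/2.2.34
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+([a-z0-9_-]+)/(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'2.4.57' -> (2, 4, 57); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_scan(text):
    """Parse scan lines; fail loudly on anything unrecognised rather than
    silently dropping a host from the inventory."""
    services = []
    for line in text.strip().splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            raise ValueError(f"unrecognised scan line: {line!r}")
        host, port, product, version = match.groups()
        services.append(Service(host, int(port), product, parse_version(version)))
    return services


def in_scope(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IN_SCOPE)


def is_vulnerable(svc):
    fixed = FIXED_IN.get(svc.product)
    return fixed is not None and svc.version < fixed


def triage(text):
    """Return (findings, out_of_scope): findings are in-scope services with a
    known-vulnerable version; out_of_scope are hosts that must not be tested."""
    findings, out_of_scope = [], set()
    for svc in parse_scan(text):
        if not in_scope(svc.host):
            out_of_scope.add(svc.host)
            continue
        if is_vulnerable(svc):
            findings.append(svc)
    return findings, out_of_scope


def diff_findings(before_text, after_text):
    """Return (resolved, new): findings gone since the earlier snapshot, and
    findings that did not exist when it was taken."""
    before = set(triage(before_text)[0])
    after = set(triage(after_text)[0])

    def key(svc):
        return (svc.host, svc.port)

    return sorted(before - after, key=key), sorted(after - before, key=key)


if __name__ == "__main__":
    findings, oos = triage(SCAN_BEFORE)
    for f in findings:
        print(f"finding: {f.host}:{f.port} {f.product} {'.'.join(map(str, f.version))}")
    print("out of scope, not tested:", sorted(oos))
    resolved, new = diff_findings(SCAN_BEFORE, SCAN_AFTER)
    print("resolved since test:", [(s.host, s.port) for s in resolved])
    print("new since test:", [(s.host, s.port) for s in new])
```

Run stand-alone, the first snapshot yields two findings on 203.0.113.5 and flags 198.51.100.7 as out of scope rather than testing it. The diff shows the SSH finding resolved and a new finding on 203.0.113.12 that the original test could never have reported, which is the practical meaning of "one view at a single moment in time".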

Cyber criminals and the techniques they employ are constantly changing, costing banks and businesses billions of dollars each year. Despite its limitations, pentesting is a useful exercise for improving bank security. Done safely and properly, it is a small price to pay for banks and financial institutions to keep their web-facing systems properly secured. Compliance validated through pentesting further gives bank customers peace of mind and continued faith in the PCI ecosystem by helping to keep their financial data protected.

re: How to Leverage Penetration Testing for Cyber Security Assessments

I've heard a lot about how fraudsters' techniques and strategies are evolving, with different groups and individuals specializing in different fraud areas. As threats become more sophisticated and varied, pentests could help banks start to think like the fraudsters by analyzing vulnerabilities that the fraudsters. That seems like an important step in improving cyber security.